The Transportation Security Administration, the Department of Homeland Security agency tasked with overseeing the security of oil and natural gas pipelines, put in place new pipeline cybersecurity requirements Wednesday morning.
The TSA order marks the first mandatory cybersecurity practices for pipelines, and what some expect will be the first of more standards that the government puts in place to regulate how critical infrastructure operators protect networks and systems.
“I’ve said for a while: when we started getting into areas where cyber began to manifest more clearly into the physical world, in people’s public health, their safety; when their direct lives were more affected, we would begin to see more push towards greater regulation,” said Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the Cyber Threat Alliance industry threat sharing group.
The order contains three components. First, pipeline operators will be required to alert the Cybersecurity and Infrastructure Security Agency of all cybersecurity incidents. Second, they will need to install a designated, always available coordinator to handle any problems. Finally, pipelines will need to audit systems within 30 days to make sure they are in line with cybersecurity guidelines that had not previously been mandatory or enforced, and develop a plan to plug any gaps.
“This is step one in the immediate wake of the Colonial Pipeline incident, to be followed by more,” a senior official told reporters in a conference call Tuesday evening.
The recent Colonial Pipeline ransomware attack resulted in a temporary shutdown of the main delivery system for gasoline across the East Coast. The Washington Post first reported on Monday that the TSA was set to release an order responding to the Colonial incident.
The TSA has been in charge of pipeline cybersecurity since agencies divvied up responsibility for critical infrastructure after 9/11. The TSA oversaw the first pipeline cybersecurity guidelines, released in 2010, through the most recent guidelines released in 2018. The latest iteration aslo provides TSA the authority to fine companies not in compliance with the cybersecurity order.
But some industry leaders question whether the TSA is ideally constructed to take on a broad regulatory role, particularly with the heightened threat of cyberattacks against critical infrastructure.
“The TSA is a terrible agency for cyber, and it is too small to really do anything of subsequent nature for critical infrastructure,” said Ron Brash, director of cyber security insights for critical infrastructure cybersecurity firm Verve Industrial, speaking to SC before the release of the order.
DHS officials told reporters the TSA is adequately staffed not only to oversee the current order but for future actions in the space. TSA has worked with CISA and Idaho National Labs to train personnel and says it will lean on CISA for advice. Officials believe the TSA’s continued work with pipeline operators has demonstrated a collaborative relationship they will be able to build upon as they take on a more regulatory role.
The TSA is scheduled to conduct 52 total voluntary cybersecurity assessments of pipeline operators in 2021, 23 of which have already been completed.
Daniel said that the TSA role in pipeline cybersecurity seems counterintuitive in retrospect because it is the consequence of a time when physical security was the primary goal. But he warned against dividing oversight of cybersecurity and physical security, “Over time, as the threats to critical infrastructure have shifted more and the cyber realm has become equally-if-not-more important than some of the physical threats, nobody has really looked at the allocation of lead agencies, or whether to have a different lead agency for cyber threats versus physical threats,” he said. “But there are reasons not to split those.”
The Biden Administration has taken a particularly active stance on infrastructure cybersecurity, with an electric grid cybersecurity executive order signed earlier this year expected to be the first of several sector-specific orders. Indeed, Daniel is among those in the cybersecurity community that predicts more to come. It’s a bold statement in response to a years-old debate about the appropriate role of government in regulating these sectors, which are predominantly privately owned.
And though the TSA order is the first explicitly regulatory move by Biden for infrastructure, there is a history of regulation breeding better cybersecurity practices within critical infrastructure sectors. For example, regulation drove a major change in cybersecurity of the electric grid when standards were put in place by the North American Electric Reliability Corp., said Verve Industrial CEO John Livingston.
“There’s lots of reasons why NERC’s stuff isn’t perfect, but NERC brought the utility from a one to a five on a 10 point scale,” he said. “It’s hard for a CEO who’s trying to manage the bottom line to say, ‘Oh, I’m now going to spend 2% of the budget on security,’ unless they’re told they have to and everybody else in their industry does.”
He assesses pipeline cybersecurity currently as “a one. It’s low.”
Both energy and pipelines represent distributed systems, where centralized control centers manage nation spanning equipment. There are a few different wrinkles with pipeline security in general, however. As the East Coast saw with Colonial, pipelines are not redundant, making single organizations choke points for entire regions. But electricity and gas are intrinsically linked, Livingston said, which makes them practical picks for initial regulatory efforts.
“Twenty-five percent of our infrastructure is powered by natural gas. If you shut down the pipelines, you shut down a significant portion of the generation capacity,” Livingston said. “And so, if we’re going to protect the grid, you have to protect pipelines.”